The General Data Protection Regulation (GDPR) has been with us since 2018, the latest in a long line of data protection rules aimed at protecting personal information of individuals. The Regulation introduced a significant number of obligations for all organisations handling data of individuals; in this article we recap some of the key obligations all businesses must meet.
A lengthy Regulation, at 99 Articles in 11 Chapters, and 173 Recitals, the original EU GDPR contains numerous obligations on all data controllers and data processors. These were implemented into UK law via the Data Protection Act of 2018, and have been supplemented by several UK-specific requirements.
Some of the key responsibilities of data processors - anyone who processes personal data about a data subject - are:
Transparency: As a data processor, an organisation must provide all data subjects (individuals whose data they process) with information on the type of processing taking place, and who is carrying out that processing. Information should be disclosed on why the data is being processed (for example, if they are an employee, you will need data to be able to process their salaries), under what legal basis it is processed (for example, required for the performance of a contract, or compliance with a legal obligation), and for how long it is being stored. Data subjects should also be informed of their rights under data legislation, such as their right to access the data held about them, and their right to object to some, or all, of their data being held or processed.
Data access requests: One of the rights of a data subject is to request a copy of the data that is held about them, free of charge and in a format that is accessible to them. Such requests must be honoured promptly, with the data provided within one month of the request. Alongside the data provided, the individual must be given information about how their data is processed, and under what legal basis.
Breaches: Even with the most robust systems, there is a chance that a breach of data protection legislation will occur. Where a breach “presents a risk to the affected individuals”, it must be reported to the Information Commissioner’s Office (ICO) via their website, within 72 hours of becoming aware of the breach. Where a breach presents a “high risk to affected individuals”, those individuals must also be informed in a timely manner.
Data protection legislation brings many obligations for businesses. However, the key to meeting many of these requirements is to have well-constructed policies that are regularly reviewed. Such policies, accompanied by regular risk reviews, can assist with identifying and mitigating data protection risks, as well as demonstrating compliance should any regulatory investigation or breach occur.
Further information on UK GDPR can be found on the Information Commissioner’s Office website at https://ico.org.uk.
The contents of this article are meant as a guide only, and are not a substitute for professional advice. The authors accept no responsibility for any action taken, or refrained from, as a result of the material contained in this document. Specific advice should be obtained before acting, or refraining from acting, in connection with the matters dealt with in this article.